22.5. Configuring SSSD to Provide a Cache for the OpenSSH Services
The System Security Services Daemon (SSSD) provides interfaces towards several system services, including OpenSSH. For details, see the documentation for SSSD in the System-Level Authentication Guide.
This section describes how you can configure SSSD to cache SSH keys for machines and users.
22.5.1. How SSSD Works with OpenSSH
OpenSSH is an SSH protocol implementation. OpenSSH creates secure, encrypted connections between two systems based on public-private key pairs that identify the authenticating entity. For details, see OpenSSH in the System Administrator's Guide.
SSSD can serve as a credentials cache for SSH public keys for machines and users. In this setup:
- OpenSSH is configured to reference SSSD to check for cached keys.
- SSSD uses an Identity Management (IdM) domain, and IdM stores the public keys and host information.
Note
Only Linux machines in the IdM domain can use SSSD as a key cache for OpenSSH. Other machines, including Windows machines, cannot.
How SSSD Manages Host Keys
To manage host keys, SSSD performs the following:
- Retrieves the public host key from the host system.
- Stores the host key in the /var/lib/sss/pubconf/known_hosts file.
- Establishes a connection with the host machine.
See Section 22.5.2, “Configuring OpenSSH to Use SSSD for Host Keys” for details on the required configuration steps.
How SSSD Manages User Keys
To manage user keys, SSSD performs the following:
- Retrieves the user's public key from the user entries in the IdM domain.
- Stores the user key in the .ssh/sss_authorized_keys file in the standard authorized keys format.
See Section 22.5.3, “Configuring OpenSSH to Use SSSD for User Keys” for details on the required configuration steps.
22.5.2. Configuring OpenSSH to Use SSSD for Host Keys
You can change the configuration on a per-user basis or for the whole system.
- Open the required configuration file.
  - To change user-specific configuration, open the ~/.ssh/config file.
  - To change system-wide configuration, open the /etc/ssh/sshd_config file.
- Use the ProxyCommand option to specify the command that will be used to establish the connection (the sss_ssh_knownhostsproxy utility with the required arguments and the host name). For details on sss_ssh_knownhostsproxy, see the sss_ssh_knownhostsproxy(1) man page.
- Use the GlobalKnownHostsFile option to specify the location of the SSSD hosts file: /var/lib/sss/pubconf/known_hosts. This file will be used instead of the default OpenSSH known_hosts file.
The following example configures SSH to look for public keys in the SSSD domain and to connect over the supplied port and host:
    ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
    GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
For details on configuring SSH and on the configuration files, see the ssh_config(5) man page.
22.5.3. Configuring OpenSSH to Use SSSD for User Keys
You can change the configuration on a per-user basis or for the whole system.
- Open the required configuration file.
  - To change user-specific configuration, open the ~/.ssh/config file.
  - To change system-wide configuration, open the /etc/ssh/sshd_config file.
- Use the AuthorizedKeysCommand option to specify the command that will be executed to retrieve user keys.
- Use the AuthorizedKeysCommandUser option to specify the user under whose account the command will be run.
The following example configures SSH to run the sss_ssh_authorizedkeys utility under the account of user:
    AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
    AuthorizedKeysCommandUser user
For details on sss_ssh_authorizedkeys, see the sss_ssh_authorizedkeys(1) man page.
For details on configuring SSH and on the configuration files, see the ssh_config(5) man page.
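The following script is an added example, not code from this page or from the SSSD project. It audits the directives from Section 22.5.2 (ProxyCommand, GlobalKnownHostsFile) and Section 22.5.3 (AuthorizedKeysCommand, AuthorizedKeysCommandUser) in a given OpenSSH configuration file, reporting what is missing or unsafe; the sample file it builds at the end is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original page or from the SSSD project:
# a small audit of the OpenSSH directives described above. Each check prints
# one line per finding and returns non-zero when the SSSD wiring is missing.
# Print the value of the first non-commented occurrence of a directive
# (OpenSSH uses the first match), compared case-insensitively.
directive_value() {                       # $1 = config file, $2 = directive
    awk -v key="$2" '
        $1 ~ /^#/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}
# Client side (ssh_config): ProxyCommand must run sss_ssh_knownhostsproxy and
# GlobalKnownHostsFile must point at the file SSSD populates.
check_client_config() {
    rc=0
    proxy=$(directive_value "$1" ProxyCommand)
    known=$(directive_value "$1" GlobalKnownHostsFile)
    case "$proxy" in
        */sss_ssh_knownhostsproxy*) ;;
        *) echo "ProxyCommand does not call sss_ssh_knownhostsproxy: '$proxy'"; rc=1 ;;
    esac
    [ "$known" = /var/lib/sss/pubconf/known_hosts ] ||
        { echo "GlobalKnownHostsFile is '$known', not /var/lib/sss/pubconf/known_hosts"; rc=1; }
    return $rc
}
# Server side (sshd_config): sshd refuses AuthorizedKeysCommand without
# AuthorizedKeysCommandUser, and that account should not be root.
check_server_config() {
    rc=0
    cmd=$(directive_value "$1" AuthorizedKeysCommand)
    usr=$(directive_value "$1" AuthorizedKeysCommandUser)
    case "$cmd" in
        */sss_ssh_authorizedkeys*) ;;
        *) echo "AuthorizedKeysCommand does not call sss_ssh_authorizedkeys: '$cmd'"; rc=1 ;;
    esac
    if [ -z "$usr" ]; then
        echo "AuthorizedKeysCommandUser is not set; sshd will reject this configuration"; rc=1
    elif [ "$usr" = root ]; then
        echo "AuthorizedKeysCommandUser is root; use an unprivileged account"; rc=1
    fi
    return $rc
}
# Constructed sample: a server config that forgot AuthorizedKeysCommandUser.
sample=$(mktemp)
printf 'AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n' > "$sample"
check_server_config "$sample"; rm -f "$sample"
```

Run check_client_config against the client's ssh_config and check_server_config against sshd_config; a non-zero exit means at least one finding was printed.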